colinb444 has asked for the
wisdom of the Perl Monks concerning the following question:

I have a number of html forms in perl programs/subroutines in which i need to pass variables. No problem for most of the variables which are placed in 'hidden' fields. Two of the variables are the users username and password which i do not want to put in 'hidden' fields as this is not very secure.
The only thing i can think of doing is storing these variables in a tempory file in my cgi-bin directory and deleting it when the forms are finished.
My question is, would this be any more secure, or is there a better way of doing this.
Thanks

Two of the variables are the users username and password which i do not want to put in 'hidden' fields as this is not very secure

Eh? define "secure"... Does it mean that no-one will ever, ever be able to find out that information? or does it mean that it would never be worth anyone's while to find out that information?

To be honest, I think you're thinking in the wrong direction. You would certainly want to minimize the traffic of the users' names and passwords (ie never send the information more than once), and you should encrypt information while it's in transit (ie use SSL). The differences in security of HTML hidden fields and any other type of (HTTP) transmission I can think of are minimal.

The normal (and probably "best") way of doing it is something like this: offer the users an HTML form over SSL, in which they enter their identifying information -- their authentication -- you then check the supplied credentials, assign privileges -- their authorization -- and give the user a token (often an HTTP cookie) which you can verify to be correct and unmolested (eg via cryptographic signatures). That way, the username and password is only entered and passed once, and you check the validity of the cookie at each subsequent stage.

That's enough parentheses for one post... happy new year.

davis

Kids, you tried your hardest, and you failed miserably. The lesson is: Never try.

My question is, would this be any more secure, or is there a better way of doing this.

There are more ways of doing this than you'd might imagine.
Some ways are quite inventive. Let me run a few by you:

Persistant Storage: If you have the means of
implementing some sort of persistant storage and creating
unique ids for given sessions (see CGI::Session)
then you can set up something like a database table where
you store values and keys. A table might look like:

You'd then store the values and retrieve them between pages
as appropriate. You'd also need some logic in place in your
code that detects that a session has expired and cleans
that table out periodically of expired information.

Encryption: I've seen more than one scheme
used by application programmers where the hidden fields
were actually encrypted between pages. Seems like a lot of
trouble to go to from where I sit, but it is a valid
approach. The encryption key would be stored on the server
and something like Blowfish used for encryption/decryption.

There's two approaches, I'm sure other monks can come
up with other ways.

The most secure way of protecting data is to not transfer it at all. Is there a way you can avoid passing the password, at least? If it were me, I'd encrypt the username then pass only that data instead of the user/pass combo.

As far as encryption goes, it's scaleable depeding on how secure you want to make it. If you just want a light encryption that's very easy, but not incredibly secure, you should explore MIME::Base64. Technically, it's an encoding and not a true encryption, but I think it's good enough to keep the most unsophisticated snoopers (aka average web users) at bay. At the very least, they can't just type in random plain-text usernames to see if they get lucky.

If you want more than this super-basic method, then you'll need to follow the links in the other replies.

When putting a smiley right before a closing parenthesis, do you:

Use two parentheses: (Like this: :) )
Use one parenthesis: (Like this: :)
Reverse direction of the smiley: (Like this: (: )
Use angle/square brackets instead of parentheses
Use C-style commenting to set the smiley off from the closing parenthesis
Make the smiley a dunce: (:>
I disapprove of emoticons
Other